Is there any way I can protect my site from people using zspoof /
supermegaspoof etc. to spoof the referrer header?

Any help much appreciated,

Thanks, Jon.

kops wrote:


Beside that I never heared of this weird stuff (any normal person would use
the refspoof extension for Mozilla, the referer form field in his download
manager, or wget --referer=), the obvious answer is NO.

From the view of your server, there's absolutely no difference between a
normal HTTP request with the correct Referer field being set by the
webbrowser due to actual reference, and a crafted field being set by anyone
else with knowledge the intended reference.

"Sebastian G." <seppi@seppig.de> wrote in message
news:5c5b4vF2tkjkoU1@mid.dfncis.de...
Hi Sebastian and thanks for the response. While it might be obvious to you,
it isn't to me so please bear with me

So from what I understand, the only way around this if I have a ring of
sites would be to ask each user to authenticate seperately at each site
rather than using the referral method?

Thanks again,

jon

kops wrote:


I don't understand what you mean. Referrers are an open secret to anyone who
has already been authenticated somewhere, and can be transferred freely
among users. Passwords and any other kind of authentication are essentially
the same, any user can post them publicly so other can gain access to the site.

I think your problem is that your referrers are
a) easily guessed
b) not properly validated
c) not valuable to any authenticated user

"kops" <kops@kops.com> (07-05-30 12:40:05):

Not through the Referrer field itself. You need to somehow encode the
referring page URI into the request, and you need to do this properly.
This means that all pages need to be dynamically generated, and all
references in the pages need to be rewritten to include something like
"ref=PAGE-ID" in the query string part.

Technically that's easy to accomplish (e.g. using Apache's mod_perl),
but it will only work around Referrer spoofing. It will not prevent the
user from spoofing the `ref' query field itself, or just typing in the
URL in question manually.

Further beware of bookmarking or `URL pasting'. You will get wrong
things logged. To overcome this, you could use POST instead of GET, but
that's the wrong way to go, because POST is not intended to be used for
such purposes. And it would only work in forms, which is bad, too.

If you place such an importantance into the knowledge of the Referrer,
then you have to force every user to register and login, and use
cryptographical methods. I cannot imagine any scenario, where such an
overkill is necessary.

By the way, both methods I presented here are intra-site methods. They
will not work for inter-site references, unless the remote site
implements the same scheme.

In other words, don't rely on the Referrer at all. Live with the fact
that it can be spoofed, because you can't prevent it reliably. For
things like ad-click counters, encode the corresponding information in
the URI, but don't rely on Referrers or home-grown techniques.


Regards,
Ertugrul Söylemez.


--
Security is the one concept, which makes things in your life stay as
they are. Otto is a man, who is afraid of changes in his life; so
naturally he does not employ security.

Thank you both for your help